Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Resolved HJT Threads: resolved spyware and popup issues.
Post #1, 11-11-2008, 08:47 AM, by coug1984 (Registered User; Join Date: Jul 2008; Posts: 29; OS: XP sp3)
Spyware Infection

Hello,
The last time I used your service, it was for a friend. This time, my son was playing an online game and completely locked up my machine. After running a couple antivirus programs in safe mode as I was unable to boot up in normal mode, I was able to start up in normal mode. I am getting a tray window popping up saying my computer is infected with spyware and to click the window to download "special" tools to prevent data loss. I have not done this as I believe this is all part of the Malware. I have tried to download GMER from numerous sites, but the program will not run. I was able to download DDS and run it and get the two reports. I have attached these. Thanks in advance for your help.
Coug

DDS (Version 1.0) - NTFSx86
Run by John at 8:21:23.17 on Tue 11/11/2008
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.567 [GMT -8:00]

=============== Created Last 30 ================

2008-11-11 07:42 5,120 a------- c:\windows\brastk.exe
2008-11-11 07:24 32,768 a------- c:\windows\system32\drivers\ati3isxx.sys
2008-11-10 22:23 32,768 a------- c:\windows\system32\drivers\ati3fsxx.sys
2008-11-10 22:18 32,768 a------- c:\windows\system32\drivers\ati6yhxx.sys
2008-11-10 21:20 125,883 a------- c:\windows\system32\wini108023.exe
2008-11-10 21:19 32,768 a------- c:\windows\system32\drivers\ati8rmxx.sys
2008-11-10 21:19 6,144 a------- c:\windows\system32\karna.dat
2008-11-10 21:19 6,144 a------- c:\windows\karna.dat
2008-11-10 21:16 23,040 a------- c:\windows\system32\dllcache\beep.sys
2008-11-10 21:16 114 a------- c:\windows\system32\delself.bat
2008-11-10 21:16 5,120 a------- c:\windows\system32\brastk.exe
2008-11-10 21:11 3,352 a------- c:\windows\system32\TDSSnjvt.dll
2008-11-10 21:11 73,728 a------- c:\windows\system32\TDSSklfy.dll
2008-11-10 21:11 31,232 a------- c:\windows\system32\TDSSoiwg.dll
2008-11-10 21:11 29,696 a------- c:\windows\system32\TDSSwrln.dll
2008-11-10 21:11 527 a------- c:\windows\system32\TDSSrpnv.dat
2008-11-10 21:11 35,840 a------- c:\windows\system32\TDSSarju.dll
2008-11-10 21:11 60,416 a------- c:\windows\system32\drivers\TDSSgfqw.sys
2008-11-10 21:10 2 a------- C:\-598491797
2008-11-10 21:09 <DIR> --d----- c:\temp\PRE45
2008-10-23 18:22 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2008-10-14 16:48 333,824 -------- c:\windows\system32\dllcache\srv.sys
2008-10-14 16:47 1,846,400 -------- c:\windows\system32\dllcache\win32k.sys
2008-10-14 16:47 2,145,280 -------- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-14 16:47 2,189,184 -------- c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-14 16:47 2,066,048 -------- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-14 16:47 2,023,936 -------- c:\windows\system32\dllcache\ntkrpamp.exe

================== Find3M ==================

2008-11-11 08:14 <DIR> --d----- c:\docume~1\john\applic~1\DNA
2008-11-11 07:42 <DIR> --d----- c:\program files\FirstClass
2008-10-04 07:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\FirstClass
2008-10-02 20:31 <DIR> --d----- c:\docume~1\john\applic~1\ZoomBrowser EX
2008-10-02 20:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ZoomBrowser
2008-09-15 14:46 <DIR> --d----- c:\program files\DNA
2008-09-15 04:12 1,846,400 a------- c:\windows\system32\win32k.sys
2008-09-07 17:24 <DIR> --d----- c:\docume~1\john\applic~1\BitTorrent
2008-09-07 13:03 <DIR> --d----- c:\docume~1\john\applic~1\StumbleUpon
2008-09-01 19:40 89,343 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-08-19 21:30 3,067,904 -------- c:\windows\system32\dllcache\mshtml.dll
2008-08-19 21:30 619,520 -------- c:\windows\system32\dllcache\urlmon.dll
2008-08-19 21:30 666,112 a------- c:\windows\system32\wininet.dll
2008-08-19 21:30 1,499,136 -------- c:\windows\system32\dllcache\shdocvw.dll
2008-08-19 21:30 666,112 -------- c:\windows\system32\dllcache\wininet.dll
2008-08-14 02:09 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
2008-08-14 02:04 138,496 -------- c:\windows\system32\dllcache\afd.sys
2008-08-14 01:33 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe
2008-07-12 17:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Viewpoint
2008-06-16 15:30 <DIR> --d----- c:\docume~1\john\applic~1\Move Networks
2008-05-15 00:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Dell
2008-02-28 22:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\McAfee.com
2008-01-31 06:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SupportSoft
2007-12-03 17:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\McNeel
2007-10-23 20:17 <DIR> --d----- c:\docume~1\john\applic~1\AVS4YOU
2007-10-23 20:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVS4YOU
2007-09-07 05:57 <DIR> --d----- c:\docume~1\john\applic~1\Smart Panel
2007-09-01 06:40 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Lavasoft
2007-07-04 13:08 <DIR> --d----- c:\docume~1\john\applic~1\Snapfish
2007-02-10 20:56 <DIR> --d----- c:\docume~1\john\applic~1\FunWebProducts
2007-02-08 20:29 <DIR> --d----- c:\docume~1\john\applic~1\Viewpoint
2006-11-30 14:47 <DIR> --d----- c:\docume~1\john\applic~1\MySpace
2006-10-10 20:51 <DIR> --d----- c:\docume~1\john\applic~1\iMesh
2006-08-29 14:30 <DIR> --d----- c:\docume~1\john\applic~1\EBookSys
2006-08-08 19:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2006-07-27 21:32 <DIR> --d----- c:\docume~1\john\applic~1\Corel Photo Album
2006-07-17 21:14 <DIR> --d----- c:\docume~1\john\applic~1\Symantec
2006-07-17 21:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Creative Labs
2007-07-25 07:54 88 ---shr-- c:\windows\system32\E5BA678971.sys
2007-07-25 07:54 3,766 a--sh--- c:\windows\system32\KGyGaAvL.sys

============== Psuedo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = http://www.google.com/ig/dell?hl=en&...suk&channel=us
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [SetDefaultMIDI] MIDIDef.exe
uRun: [Creative Detector] "c:\program files\creative\mediasource\detector\CTDetect.exe" /R
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [DMXLauncher] c:\program files\dell\media experience\DMXLauncher.exe
mRun: [CTSysVol] c:\program files\creative\sbaudigy\surround mixer\CTSysVol.exe /r
mRun: [MBMon] Rundll32 CTMBHA.DLL,MBMon
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [VoiceCenter] "c:\program files\creative\voicecenter\AndreaVC.exe" /tray
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [EPSON Stylus CX5400] c:\windows\system32\spool\drivers\w32x86\3\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O6 "USB001" /M "Stylus CX5400"
mRun: [iRiver Updater] \Updater.exe
mRun: [Auto EPSON Stylus CX5400 on VAIO] c:\windows\system32\spool\drivers\w32x86\3\e_s4i2g1.exe /p32 "auto epson stylus cx5400 on vaio" /o14 "\\vaio\Printer" /M "Stylus CX5400"
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
StartupFolder: c:\docume~1\john\startm~1\programs\startup\memoni~1.lnk - c:\program files\verizon wireless\v cast music manager\MEMonitor.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
mPolicies-system: InstallVisualStyle = c:\windows\resources\themes\royale\Royale.msstyles
mPolicies-system: InstallTheme = c:\windows\resources\themes\Royale.theme
IE: &Search - http://edits.mywebsearch.com/toolbar...p=ZKxdm021YYUS
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Filter: text/html - {db1c43c3-bd93-4815-8e63-106b989dd4ef} -
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui -igfxdev.dll
AppInit_DLLs: karna.dat
SSODL: {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ==============

R3 AR5523;NETGEAR WG111T USB2.0 Wireless Card Service;c:\windows\system32\drivers\wg11tnd5.sys
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.sys
S3 ATHFMWDL;NETGEAR WG111T bootloader driver;c:\windows\system32\drivers\ATHFMWDL.sys

============= FINISH: 8:22:00.92 ===============
Attached Files: Attach.txt (19.9 KB)
Post #2, 11-12-2008, 10:47 AM, by Angelfire777 (Moderator/Analyst, Security Team; Rangemaster, TSF Academy; Join Date: Oct 2006; Posts: 4,232; OS: Vista)
Re: Spyware Infection

Hi, welcome to TSF!

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
__________________
UNITE and ASAP since 2006


If we have helped you, please consider donating.

The past won't be able to hurt you unless you keep on looking back at it.
Post #3, 11-12-2008, 06:53 PM, by coug1984 (Registered User; Join Date: Jul 2008; Posts: 29; OS: XP sp3)
Re: Spyware Infection

Hello,
I got an error when it tried to put in the recovery console, but it ran the scan and here is the log. Also, when my computer started back up, it seems to already be running better. My McAfee was able to start now and is running. I'm also not getting the pop-up from the tray icons that says I need to download "special" malware software. You guys are great, and I await your next instruction.

ComboFix 08-11-10.01 - John 2008-11-11 20:16:44.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.525 [GMT -8:00]
Running from: c:\documents and settings\John\Desktop\ComboFxx.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\John\LOCALS~1\Temp\prun.exe
c:\docume~1\John\LOCALS~1\Temp\snapsnet.exe
c:\documents and settings\John\Application Data\FunWebProducts
c:\documents and settings\John\Application Data\FunWebProducts\Data\John\avatar.dat
c:\program files\Common\helper.sig
c:\windows\brastk.exe
c:\windows\Downloaded Program Files\setup.inf
c:\windows\IE4 Error Log.txt
c:\windows\karna.dat
c:\windows\system32\brastk.exe
c:\windows\system32\DelSelf.bat
c:\windows\system32\dllcache\beep.sys
c:\windows\system32\drivers\ati3fsxx.sys
c:\windows\system32\drivers\ati3isxx.sys
c:\windows\system32\drivers\ati6yhxx.sys
c:\windows\system32\drivers\ati8rmxx.sys
c:\windows\system32\Drivers\TDSSgfqw.sys
c:\windows\system32\karna.dat
c:\windows\system32\MSINET.oca
c:\windows\system32\pac.txt
c:\windows\system32\TDSSarju.dll
c:\windows\system32\TDSSklfy.dll
c:\windows\system32\TDSSnjvt.dll
c:\windows\system32\TDSSoiwg.dll
c:\windows\system32\TDSSrpnv.dat
c:\windows\system32\TDSSwrln.dll
c:\windows\system32\TDSSwwbr.log
c:\windows\system32\wini108023.exe


.
((((((((((((((((((((((((( Files Created from 2008-10-12 to 2008-11-12 )))))))))))))))))))))))))))))))
.

2008-11-10 21:10 . 2008-11-10 21:10 2 --a------ C:\-598491797
2008-11-10 21:09 . 2008-11-10 21:09 <DIR> d-------- c:\temp\PRE45
2008-10-23 18:22 . 2008-10-15 08:34 337,408 --------- c:\windows\system32\dllcache\netapi32.dll
2008-10-14 16:48 . 2008-09-08 02:41 333,824 --------- c:\windows\system32\dllcache\srv.sys
2008-10-14 16:47 . 2008-08-14 02:11 2,189,184 --------- c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-14 16:47 . 2008-08-14 02:09 2,145,280 --------- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-14 16:47 . 2008-08-14 01:33 2,066,048 --------- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-14 16:47 . 2008-08-14 01:33 2,023,936 --------- c:\windows\system32\dllcache\ntkrpamp.exe
2008-10-14 16:47 . 2008-09-15 04:12 1,846,400 --------- c:\windows\system32\dllcache\win32k.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-12 04:23 --------- d-----w c:\program files\DNA
2008-11-12 04:23 --------- d-----w c:\documents and settings\John\Application Data\DNA
2008-11-12 04:16 --------- d-----w c:\program files\Common
2008-11-11 15:42 --------- d-----w c:\program files\FirstClass
2008-11-07 03:43 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-07 02:16 --------- d-----w c:\program files\Google
2008-10-04 15:27 --------- d-----w c:\documents and settings\All Users\Application Data\FirstClass
2008-10-03 04:31 --------- d-----w c:\documents and settings\John\Application Data\ZoomBrowser EX
2008-10-03 04:30 --------- d-----w c:\documents and settings\All Users\Application Data\ZoomBrowser
2008-09-15 12:24 94,624 ----a-w c:\documents and settings\John\Application Data\GDIPFONTCACHEV1.DAT
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-12 13:21 --------- d-----w c:\program files\McAfee
2008-08-20 05:30 666,112 ----a-w c:\windows\system32\wininet.dll
2008-08-14 10:09 2,145,280 ----a-w c:\windows\system32\ntoskrnl.exe
2008-08-14 09:33 2,023,936 ----a-w c:\windows\system32\ntkrnlpa.exe
2007-07-25 15:54 88 --sh--r c:\windows\system32\E5BA678971.sys
2007-07-25 15:54 3,766 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-11-11 342336]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 c:\windows\MIDIDEF.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-09-15 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-10 90112]
"VoiceCenter"="c:\program files\Creative\VoiceCenter\AndreaVC.exe" [2005-09-19 1159168]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-07-17 169984]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-12 1117184]
"EPSON Stylus CX5400"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE" [2003-05-26 99840]
"iRiver Updater"="\Updater.exe" [2004-07-01 212992]
"Auto EPSON Stylus CX5400 on VAIO"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE" [2003-05-26 99840]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-07-17 26112]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"MBMon"="CTMBHA.DLL" [2005-05-19 c:\windows\system32\CTMBHA.DLL]

c:\documents and settings\John\Start Menu\Programs\Startup\
MEMonitor.lnk - c:\program files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe [2007-09-28 947544]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2007-10-02 25214]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= c:\windows\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= c:\windows\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\iMesh Applications\\iMesh\\iMesh.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office10\\FRONTPG.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Documents and Settings\\John\\Desktop\\Joe\\BitTorrent\\bittorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R3 AR5523;NETGEAR WG111T USB2.0 Wireless Card Service;c:\windows\system32\DRIVERS\wg11tnd5.sys [2004-10-14 285216]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\System32\DRIVERS\ASPI32.sys [2005-11-20 16512]
S3 ATHFMWDL;NETGEAR WG111T bootloader driver;c:\windows\system32\Drivers\ATHFMWDL.sys [2004-10-14 43392]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2008-11-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]

2008-10-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]

2008-11-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\uvdz09gw.default\
FF -: plugin - c:\program files\Adobe\Acrobat 6.0\Reader\browser\nppdf32.dll
FF -: plugin - c:\program files\DNA\plugins\npbtdna.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-11 20:23:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: c:\windows\explorer.exe
-> c:\program files\ArcSoft\Software Suite\PhotoImpression 5\share\pihook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\rundll32.exe
c:\docume~1\John\LOCALS~1\Temp\clclean.0001
c:\program files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Updater.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopOE.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\windows\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-11-11 20:35:04 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-12 04:34:52

Pre-Run: 13,990,674,432 bytes free
Post-Run: 13,918,834,688 bytes free

209 --- E O F --- 2008-10-24 10:01:03
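As an added example, not part of this thread and not a tool of DDS, ComboFix or the analysts here, the script below runs the kind of checks a reader makes by eye over the DDS log in post #1 and the ComboFix log in post #3: it flags the TDSS-prefixed drivers and DLLs, the randomly named ati???xx.sys drivers, the other files ComboFix later removed, the AppInit_DLLs entry that loads karna.dat into every process, the Security Center and firewall values that were switched off in the "Reg Loading Points" dump, and the autorun command on a removable drive. The sample lines are copied from this thread's logs; the indicator patterns are derived from this one infection and are an illustration, not a general signature set.

```python
import re
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    category: str
    reason: str
    line: str


# Constructed sample: lines copied from the DDS and ComboFix logs in this
# thread, plus two benign entries (netapi32.dll, ehTray) the rules must skip.
SAMPLE_LOG = r"""
2008-11-11 07:42 5,120 a------- c:\windows\brastk.exe
2008-11-11 07:24 32,768 a------- c:\windows\system32\drivers\ati3isxx.sys
2008-11-10 21:19 6,144 a------- c:\windows\system32\karna.dat
2008-11-10 21:11 60,416 a------- c:\windows\system32\drivers\TDSSgfqw.sys
2008-11-10 21:11 3,352 a------- c:\windows\system32\TDSSnjvt.dll
2008-10-23 18:22 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
AppInit_DLLs: karna.dat
mRun: [ehTray] c:\windows\ehome\ehtray.exe
c:\windows\system32\wini108023.exe
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"DisableMonitoring"=dword:00000001
"EnableFirewall"= 0 (0x0)
\Shell\AutoRun\command - E:\setup.exe
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"""

# File-name patterns derived from what ComboFix removed in this thread.
# Assumption: they describe this one infection and are not a general signature set.
FILE_PATTERNS = [
    (re.compile(r"\\TDSS[a-z]{4}\.(?:sys|dll|dat|log)\b", re.I), "TDSS-prefixed component"),
    (re.compile(r"\\ati[0-9a-z]{3}xx\.sys\b", re.I), "randomly named ati???xx.sys driver"),
    (re.compile(r"\\(?:brastk\.exe|karna\.dat|delself\.bat|wini\d+\.exe)\b", re.I),
     "file name on the thread's removal list"),
]

# Registry values from the ComboFix "Reg Loading Points" dump that silence the
# XP Security Center or switch the firewall off.
TAMPER_PATTERNS = [
    (re.compile(r'"AntiVirusDisableNotify"=dword:00000001', re.I), "antivirus notifications disabled"),
    (re.compile(r'"UpdatesDisableNotify"=dword:00000001', re.I), "update notifications disabled"),
    (re.compile(r'"DisableMonitoring"=dword:00000001', re.I), "Security Center monitoring disabled"),
    (re.compile(r'"EnableFirewall"=\s*0\b', re.I), "Windows Firewall disabled"),
]

APPINIT = re.compile(r"^AppInit_DLLs:\s*(\S.*)$", re.I)
AUTORUN = re.compile(r"\\Shell\\AutoRun\\command\s*-\s*(.+)$", re.I)


def triage(lines: List[str]) -> List[Finding]:
    """Return one Finding for every log line that matches an indicator."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = APPINIT.match(line)
        if m:
            # AppInit_DLLs is loaded into every process that maps user32.dll,
            # so any value here needs review; a .dat file is a strong red flag.
            findings.append(Finding("appinit", f"AppInit_DLLs loads {m.group(1)}", line))
            continue
        m = AUTORUN.search(line)
        if m:
            findings.append(Finding("autorun", f"drive autorun launches {m.group(1)}", line))
            continue
        for pat, reason in TAMPER_PATTERNS:
            if pat.search(line):
                findings.append(Finding("security_center_tamper", reason, line))
                break
        else:
            for pat, reason in FILE_PATTERNS:
                if pat.search(line):
                    findings.append(Finding("file_indicator", reason, line))
                    break
    return findings


def count_by_category(findings: List[Finding]) -> Dict[str, int]:
    """Tally findings per category, useful as a one-line summary of a log."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"[{f.category}] {f.reason}: {f.line}")
```

The four "security_center_tamper" hits are worth singling out: the user's own report that McAfee "was able to start now" after ComboFix ran lines up with those values having been set to silence the Security Center and disable monitoring, so a log reader should treat them as evidence of deliberate tampering rather than user configuration.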
Post #4, 11-12-2008, 09:49 PM, by Angelfire777 (Moderator/Analyst, Security Team; Rangemaster, TSF Academy; Join Date: Oct 2006; Posts: 4,232; OS: Vista)
Re: Spyware Infection

Hi,

Did you take note of the exact error?

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System

Download the file & save it as it's originally named, next to ComboFix.exe.

Now close all open windows and programs, including all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  • At the next prompt, click 'No' and do not run another combofix scan.
  • When the tool is finished, it will produce a report for you.
Please post the contents of the log that it created.
Last edited by Angelfire777; 11-12-2008 at 09:50 PM.
Post #5, 11-12-2008, 10:27 PM, by coug1984 (Registered User; Join Date: Jul 2008; Posts: 29; OS: XP sp3)
Re: Spyware Infection

OK,
Here is the log report after installing the Recovery Console. Seemed to go fine.

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
Post #6, 11-13-2008, 04:53 PM, by Angelfire777 (Moderator/Analyst, Security Team; Rangemaster, TSF Academy; Join Date: Oct 2006; Posts: 4,232; OS: Vista)
Re: Spyware Infection

Hi,

It seems that you installed the wrong package for recovery console. Media Center edition is based on XP Pro.

Please follow the steps below to remove recovery console. Follow the instructions on my previous post again and this time, make sure you download the XP Pro package.

This file must be present - C:\Boot.bak.
It is a backup of the machine's previous Boot.ini. Do not proceed if it's not present.

1) Right click on current copy of C:\Boot.ini & select 'Properties'. Then remove the file's 'Read-Only' attribute.

2) Rename C:\Boot.ini to C:\Boot.old (Do not delete it)

3) Rename C:\Boot.bak to C:\Boot.ini

4) Right click on the new C:\Boot.ini & select 'Properties'. Then make the file 'Read-Only'

5) Reboot the machine. You will note that the Recovery Console is no longer an option on the Boot Menu

6) Delete the folder - C:\CmdCons

7) Delete C:\Boot.old


WARNING - Failure to strictly adhere to the above instructions may result in an unbootable machine.
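The Boot.ini swap above is worth scripting, because the risk sits in the ordering and in the precondition (Boot.bak must exist before anything is renamed). The Python below is an added example, not the analyst's tool or anything from this forum: one function carries out steps 1 to 4 against a directory you name and refuses to start if Boot.bak is absent or a Boot.old is already there, and a second function carries out steps 6 and 7 for the cleanup that belongs after the reboot. The demo root is a constructed temporary directory laid out like C:\ after the wrong Recovery Console package was installed; the handler that clears the read-only bit when a file under CmdCons will not delete is my assumption about one common cause of an access-denied error, not something the thread establishes. On a real machine you would pass the drive root instead of the demo directory.

```python
import os
import shutil
import stat
import tempfile
from typing import Dict, List


def _clear_readonly(path: str) -> None:
    """Drop the read-only bit so the file can be renamed or deleted (step 1)."""
    os.chmod(path, stat.S_IREAD | stat.S_IWRITE)


def restore_boot_ini(root: str) -> str:
    """Steps 1-4: put the pre-Recovery-Console Boot.ini back from Boot.bak.
    Nothing is touched unless the backup exists, mirroring the post's warning."""
    boot_ini = os.path.join(root, "Boot.ini")
    boot_bak = os.path.join(root, "Boot.bak")
    boot_old = os.path.join(root, "Boot.old")
    if not os.path.isfile(boot_bak):
        raise FileNotFoundError("Boot.bak is missing; do not proceed")
    if not os.path.isfile(boot_ini):
        raise FileNotFoundError("Boot.ini not found; make sure hidden and protected files are shown")
    if os.path.exists(boot_old):
        raise FileExistsError("Boot.old already exists; an earlier run may have been interrupted")
    _clear_readonly(boot_ini)          # step 1
    os.rename(boot_ini, boot_old)      # step 2: keep the console version, do not delete it
    os.rename(boot_bak, boot_ini)      # step 3
    os.chmod(boot_ini, stat.S_IREAD)   # step 4: Boot.ini goes back to read-only
    return boot_ini


def _on_rm_error(func, path, exc_info) -> None:
    # Assumption: a read-only attribute on a CmdCons file is what blocks the
    # delete, so clear it and retry the failed operation once.
    _clear_readonly(path)
    func(path)


def cleanup_after_reboot(root: str) -> List[str]:
    """Steps 6-7, only after the machine has rebooted from the restored Boot.ini:
    remove the CmdCons folder and the Boot.old copy. Returns what was removed."""
    removed: List[str] = []
    cmdcons = os.path.join(root, "CmdCons")
    if os.path.isdir(cmdcons):
        shutil.rmtree(cmdcons, onerror=_on_rm_error)
        removed.append(cmdcons)
    boot_old = os.path.join(root, "Boot.old")
    if os.path.isfile(boot_old):
        _clear_readonly(boot_old)
        os.remove(boot_old)
        removed.append(boot_old)
    return removed


def root_state(root: str) -> Dict[str, bool]:
    """Which of the four files/folders the procedure cares about are present."""
    return {name: os.path.exists(os.path.join(root, name))
            for name in ("Boot.ini", "Boot.bak", "Boot.old", "CmdCons")}


def read_boot_ini(root: str) -> str:
    with open(os.path.join(root, "Boot.ini")) as f:
        return f.read()


def make_demo_root() -> str:
    """Constructed sample: a temp directory laid out like C:\\ after the wrong
    Recovery Console package was installed (contents taken from post #5)."""
    root = tempfile.mkdtemp()
    original = ('multi(0)disk(0)rdisk(0)partition(2)\\WINDOWS="Windows XP Media Center Edition"'
                ' /noexecute=optin /fastdetect\n')
    with_console = 'C:\\CMDCONS\\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons\n' + original
    with open(os.path.join(root, "Boot.bak"), "w") as f:
        f.write(original)
    with open(os.path.join(root, "Boot.ini"), "w") as f:
        f.write(with_console)
    os.chmod(os.path.join(root, "Boot.ini"), stat.S_IREAD)   # Windows keeps Boot.ini read-only
    os.makedirs(os.path.join(root, "CmdCons"))
    stub = os.path.join(root, "CmdCons", "1394BUS.SY_")       # the file that refused to delete later
    with open(stub, "w") as f:
        f.write("stub")
    os.chmod(stub, stat.S_IREAD)
    return root


if __name__ == "__main__":
    demo = make_demo_root()
    restore_boot_ini(demo)
    print(read_boot_ini(demo))            # the /cmdcons line is gone
    print(cleanup_after_reboot(demo))     # CmdCons and Boot.old removed
```

The split into two functions is deliberate: the post puts a reboot between step 4 and step 6, because deleting CmdCons while the boot menu still references it would leave the machine with a dangling entry.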
Post #7, 11-13-2008, 05:52 PM, by coug1984 (Registered User; Join Date: Jul 2008; Posts: 29; OS: XP sp3)
Re: Spyware Infection

I have found the C:\Boot.bak file, but I can not find either the C:\Boot.ini or C:\CmdCons files. Until I hear from you, I am not going to make any changes.
Thanks.
Post #8, 11-13-2008, 06:00 PM, by Angelfire777 (Moderator/Analyst, Security Team; Rangemaster, TSF Academy; Join Date: Oct 2006; Posts: 4,232; OS: Vista)
Re: Spyware Infection

Are you sure cmdcons is not present?

Is your system configured to show hidden files? If not, please follow the steps below:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the "Hidden files and folders" heading select Show hidden files and folders.
  • Uncheck the Hide Protected Operating System Files Option.
  • Click Yes to confirm.
  • Click OK.
Old 11-13-2008, 06:30 PM   #9 (permalink)
Registered User
 
Join Date: Jul 2008
Posts: 29
OS: XP sp3


Re: Spyware Infection

OK,
I was able to do everything but delete the folder CmdCons. I get this message:
Cannot Delete 1394BUS.SY_: Access is denied
Old 11-13-2008, 10:17 PM   #10 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Oct 2006
Posts: 4,232
OS: Vista


Re: Spyware Infection

That's odd... those files shouldn't be in use.

Boot to Safe Mode, then delete the folder from there.

To enter Safe Mode:

Click Start > Turn Off Computer > Restart > Tap the F8 key just before Windows starts to load. This will bring up a menu. Use your keyboard to scroll to Safe Mode and hit Enter.
Old 11-14-2008, 06:55 AM   #11 (permalink)
Registered User
 
Join Date: Jul 2008
Posts: 29
OS: XP sp3


Re: Spyware Infection

Hello,
I started up in Safe Mode and was still unable to delete the CmdCons folder. For more information, the folder has a slightly transparent look compared to other folders. Also, McAfee has started blocking a program (PUP). I should have written down the name of it before I restarted because the window has now disappeared. But it says the bad file is located in C:\System volume information\ which is a folder that I cannot access and is also slightly transparent. I don't know if that matters at all, but I thought I should let you know.
Old 11-14-2008, 09:18 AM   #12 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Oct 2006
Posts: 4,232
OS: Vista


Re: Spyware Infection

Hi,

Can you try running GMER again, then post its log?

Don't worry about the system volume information folder. That's your system restore cache. We will reset it when you're clean.
Old 11-14-2008, 09:26 PM   #13 (permalink)
Registered User
 
Join Date: Jul 2008
Posts: 29
OS: XP sp3


Re: Spyware Infection

Hi,
This is the message McAfee is giving me, followed by a new GMER log. Again, thank you for your help.

About this Potentially Unwanted Program
Name: Tool-NirCmd
Location: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP897\A0084533.com


GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-11-14 21:30:03
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateFile [0xAA3AF9AA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateKey [0xAA3AFA41]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcess [0xAA3AF958]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwCreateProcessEx [0xAA3AF96C]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteKey [0xAA3AFA55]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xAA3AFA81]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateKey [0xAA3AFAEF]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwEnumerateValueKey [0xAA3AFAD9]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xAA3AF9EA]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwNotifyChangeKey [0xAA3AFB1B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenKey [0xAA3AFA2D]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenProcess [0xAA3AF930]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwOpenThread [0xAA3AF944]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwProtectVirtualMemory [0xAA3AF9BE]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryKey [0xAA3AFB57]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryMultipleValueKey [0xAA3AFAC3]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwQueryValueKey [0xAA3AFAAD]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRenameKey [0xAA3AFA6B]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwReplaceKey [0xAA3AFB43]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwRestoreKey [0xAA3AFB2F]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetContextThread [0xAA3AF996]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetInformationProcess [0xAA3AF982]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwSetValueKey [0xAA3AFA97]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwTerminateProcess [0xAA3AFA19]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnloadKey [0xAA3AFB05]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xAA3AFA00]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) ZwYieldExecution [0xAA3AF9D4]
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtCreateFile
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtMapViewOfSection
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenProcess
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtOpenThread
Code \SystemRoot\system32\drivers\mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.) NtSetInformationProcess

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (Host Intrusion Detection Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)

---- EOF - GMER 1.0.14 ----
Old 11-15-2008, 01:56 PM   #14 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Oct 2006
Posts: 4,232
OS: Vista


Re: Spyware Infection

Don't worry about what McAfee is reporting. It's actually a safe tool used by ComboFix.

I want to check why the cmdcons folder is being used by something else.

Please download Unlocker

Save it to your desktop.

Double click it to install.

After installing, navigate to this folder: C:\cmdcons, right click it & select 'Unlocker'.

Use print screen so I can see which process is using it. If you need instructions for that, please see this article: http://www.techsupportforum.com/cont...icles/151.html
Old 11-16-2008, 07:12 AM   #15 (permalink)
Registered User
 
Join Date: Jul 2008
Posts: 29
OS: XP sp3


Re: Spyware Infection

Hello,
I get this message when using Unlocker, and I did try to use the delete feature to delete the folder, but that did not work. Again, thank you for your time.

shot.JPG
Old 11-16-2008, 06:03 PM   #16 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Oct 2006
Posts: 4,232
OS: Vista


Re: Spyware Infection

Hi,

I think we've spent a fair amount of time trying to figure out what's happening there. Let's proceed and clean your computer now.

I see you have P2P software (BitTorrent, DNA (part of BitTorrent)) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

References for the risk of these programs are here, here, and here.

I would strongly recommend that you uninstall it; however, that choice is up to you. If you choose to remove this program, you can do so via Control Panel >> Add/Remove Programs.

If you decide to uninstall the p2p application, also delete these Folders if they still exist:

C:\Program Files\bittorrent
C:\Program Files\DNA
c:\documents and settings\John\Application Data\DNA
________

*Open notepad.
Copy and paste the text inside the code box below to notepad

Code:
File::
C:\-598491797
C:\Boot.old
Folder::
c:\temp\PRE45
C:\cmdcons
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000000
  • Save and Name it as "CFScript"
  • Drag and drop CFScript.txt to your copy of combofix.
  • You can take a look at the image below if you're unsure on how to do it.
  • ComboFix will restart your machine, then it will produce a log afterwards.
________

Your Java is out of date....
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components.
  • Click Start > Control Panel
  • Click Add/Remove Programs
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove button.
  • Repeat as many times as necessary to remove all versions of Java.
  • Reboot your computer once all Java components are removed.
Then download Java Runtime Environment 6u10, and install it to your computer.
  • Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup)
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
    • Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.
_________

Download ATF Cleaner by Atribune

Important: Make sure all your browsers are closed before running ATF Cleaner..
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose:Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
__________

Please run this online scan to help look for remnants.

First, Go to Start>Control Panel>Add/Remove Programs and remove Kaspersky online scanner if present prior to downloading the most up-to-date one.

Next, establish an internet connection & perform an online scan using Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.

  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply


**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan. You may disconnect from the internet once you begin the scan.


Note for Internet Explorer 7 users: If at any time you have trouble viewing the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

On your next reply, please include a
  • kaspersky scan log
  • combofix log
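A defender-side check for the Security Center keys the CFScript above resets, added here as an example that is not part of the thread or of ComboFix: it parses the REGEDIT4-style text ComboFix prints under "Reg Loading Points", flags every notify/monitoring value set to 1 (which silences the "no antivirus / firewall / updates" warnings), and emits the matching Registry:: section for a CFScript. The log text inside is a constructed sample modelled on the entries in this thread.

```python
"""Flag Windows Security Center values that a ComboFix log shows as disabled
(dword 1) and build the Registry:: block that resets them to 0.
Added example, not ComboFix's own code."""
import re
from dataclasses import dataclass

# Constructed sample: the Security Center block in the REGEDIT4 layout
# ComboFix prints, plus one unrelated key that must be ignored.
SAMPLE_LOG = """\
REGEDIT4

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000000

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\policies\\system]
"InstallTheme"= c:\\windows\\Resources\\Themes\\Royale.theme
"""

# Value names under the Security Center key that, when non-zero, suppress
# the warnings a user would otherwise see when protection is turned off.
WATCHED_VALUES = {"antivirusdisablenotify", "firewalldisablenotify",
                  "updatesdisablenotify", "disablemonitoring"}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})\s*$')


@dataclass(frozen=True)
class Finding:
    key: str
    name: str
    value: int


def parse_reg_dwords(text):
    """Yield (key, name, int value) for each dword line, tracking the [key] it sits under."""
    key = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = DWORD_RE.match(line)
        if m and key is not None:
            yield key, m.group("name"), int(m.group("hex"), 16)


def disabled_security_center(text):
    """Return a Finding for every watched Security Center value that is non-zero."""
    found = []
    for key, name, value in parse_reg_dwords(text):
        if ("security center" in key.lower()
                and name.lower() in WATCHED_VALUES and value != 0):
            found.append(Finding(key, name, value))
    return found


def cfscript_registry_fix(findings):
    """Build a CFScript Registry:: section that sets each finding back to 0, grouped by key."""
    by_key = {}
    for f in findings:
        by_key.setdefault(f.key, []).append(f.name)
    lines = ["Registry::"]
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{n}"=dword:00000000' for n in names)
    return "\n".join(lines)


if __name__ == "__main__":
    hits = disabled_security_center(SAMPLE_LOG)
    for f in hits:
        print(f"disabled: {f.key} -> {f.name}={f.value}")
    print(cfscript_registry_fix(hits))
```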
Old 11-16-2008, 10:48 PM   #17 (permalink)
Registered User
 
Join Date: Jul 2008
Posts: 29
OS: XP sp3


Re: Spyware Infection

OK,
I removed Bittorrent (don't know what it is, or how it got there), updated my Java, placed the script in Combofix, ran the ATF Cleaner, and produced the kaspersky log. I had to run kaspersky twice because the first time I ran it without an internet connection, it shut down at the end before giving me the log. So I ran it again and stayed connected to the net and it then finished and gave me the report. Below are the requested logs.

ComboFix 08-11-10.01 - John 2008-11-16 18:40:37.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.558 [GMT -8:00]
Running from: c:\documents and settings\John\Desktop\ComboFxx.exe
Command switches used :: c:\documents and settings\John\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\-598491797
C:\Boot.old
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\-598491797
c:\temp\PRE45

.
((((((((((((((((((((((((( Files Created from 2008-10-17 to 2008-11-17 )))))))))))))))))))))))))))))))
.

2008-11-16 07:02 . 2008-11-16 07:02 <DIR> d-------- c:\program files\Unlocker
2008-11-14 21:29 . 2008-11-14 21:29 250 --a------ c:\windows\gmer.ini
2008-11-12 13:22 . 2008-09-04 09:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 13:22 . 2008-10-24 03:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 18:22 . 2008-10-15 08:34 337,408 --------- c:\windows\system32\dllcache\netapi32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-12 04:16 --------- d-----w c:\program files\Common
2008-11-11 15:42 --------- d-----w c:\program files\FirstClass
2008-11-07 03:43 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-07 02:16 --------- d-----w c:\program files\Google
2008-10-04 15:27 --------- d-----w c:\documents and settings\All Users\Application Data\FirstClass
2008-10-03 04:31 --------- d-----w c:\documents and settings\John\Application Data\ZoomBrowser EX
2008-10-03 04:30 --------- d-----w c:\documents and settings\All Users\Application Data\ZoomBrowser
2008-10-01 00:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:24 94,624 ----a-w c:\documents and settings\John\Application Data\GDIPFONTCACHEV1.DAT
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-15 12:12 1,846,400 ------w c:\windows\system32\dllcache\win32k.sys
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\dllcache\msxml6.dll
2008-09-08 10:41 333,824 ------w c:\windows\system32\dllcache\srv.sys
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-08-20 05:30 666,112 ----a-w c:\windows\system32\wininet.dll
2008-08-20 05:30 666,112 ------w c:\windows\system32\dllcache\wininet.dll
2008-08-20 05:30 619,520 ------w c:\windows\system32\dllcache\urlmon.dll
2008-08-20 05:30 3,067,904 ------w c:\windows\system32\dllcache\mshtml.dll
2008-08-20 05:30 1,499,136 ------w c:\windows\system32\dllcache\shdocvw.dll
2007-07-25 15:54 88 --sh--r c:\windows\system32\E5BA678971.sys
2007-07-25 15:54 3,766 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-11-11_20.34.16.17 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-09-10 01:10:56 1,379,840 ----a-w c:\windows\$hf_mig$\KB954459\SP3QFE\msxml6.dll
+ 2007-11-30 12:39:22 17,272 ----a-w c:\windows\$hf_mig$\KB954459\spmsg.dll
+ 2007-11-30 12:39:22 231,288 ----a-w c:\windows\$hf_mig$\KB954459\spuninst.exe
+ 2007-11-30 12:39:22 26,488 ----a-w c:\windows\$hf_mig$\KB954459\update\spcustom.dll
+ 2007-11-30 12:39:22 755,576 ----a-w c:\windows\$hf_mig$\KB954459\update\update.exe
+ 2007-11-30 12:39:22 382,840 ----a-w c:\windows\$hf_mig$\KB954459\update\updspapi.dll
+ 2008-10-24 11:21:09 455,296 ------w c:\windows\Driver Cache\i386\mrxsmb.sys
+ 2008-11-15 05:29:34 884,736 ----a-w c:\windows\gmer.dll
+ 2008-04-18 05:13:02 811,008 ----a-r c:\windows\gmer.exe
+ 2008-11-13 11:00:58 32,768 ----a-r c:\windows\Installer\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}\icon.exe
- 2008-11-12 0142 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-11-17 01:35:25 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-11-12 0142 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-11-17 01:35:25 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-11-15 05:29:34 85,969 ----a-w c:\windows\system32\drivers\gmer.sys
+ 2008-10-05 03:16:26 235,936 ----a-r c:\windows\system32\Macromed\Flash\FlashUtil10a.exe
- 2008-06-17 03:32:29 74,137 ----a-w c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
+ 2008-11-13 14:17:32 88,590 ----a-w c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
- 2008-10-07 19:19:40 16,721,856 ----a-w c:\windows\system32\MRT.exe
+ 2008-11-04 00:10:25 17,318,336 ----a-w c:\windows\system32\MRT.exe
- 2007-11-30 11:18:51 17,272 ------w c:\windows\system32\spmsg.dll
+ 2008-07-08 13:02:01 17,272 ------w c:\windows\system32\spmsg.dll
+ 2008-10-01 00:42:08 1,286,152 ----a-w c:\windows\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9870.0_x-ww_a32d74cf\msxml4.dll
+ 2008-10-01 00:45:12 91,656 ----a-w c:\windows\WinSxS\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.1.0_x-ww_2a41bceb\msxml4r.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 c:\windows\MIDIDEF.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 94208]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-09-15 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-10 90112]
"VoiceCenter"="c:\program files\Creative\VoiceCenter\AndreaVC.exe" [2005-09-19 1159168]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-07-17 169984]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-12 1117184]
"EPSON Stylus CX5400"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE" [2003-05-26 99840]
"iRiver Updater"="\Updater.exe" [2004-07-01 212992]
"Auto EPSON Stylus CX5400 on VAIO"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE" [2003-05-26 99840]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-07-17 26112]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-11-01 582992]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-01 15872]
"MBMon"="CTMBHA.DLL" [2005-05-19 c:\windows\system32\CTMBHA.DLL]

c:\documents and settings\John\Start Menu\Programs\Startup\
MEMonitor.lnk - c:\program files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe [2007-09-28 947544]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2007-10-02 25214]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= c:\windows\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= c:\windows\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\iMesh Applications\\iMesh\\iMesh.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\SAGENT4.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office10\\FRONTPG.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R3 AR5523;NETGEAR WG111T USB2.0 Wireless Card Service;c:\windows\system32\DRIVERS\wg11tnd5.sys [2004-10-14 285216]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\System32\DRIVERS\ASPI32.sys [2005-11-20 16512]
S3 ATHFMWDL;NETGEAR WG111T bootloader driver;c:\windows\system32\Drivers\ATHFMWDL.sys [2004-10-14 43392]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2008-11-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]

2008-11-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]

2008-11-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 12:32]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-BitTorrent DNA - c:\program files\DNA\btdna.exe



**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-16 18:47:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: c:\windows\explorer.exe
-> c:\program files\Unlocker\UnlockerHook.dll
-> c:\progra~1\Google\GOOGLE~1\GOA66E~1.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\rundll32.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopIndex.exe
c:\docume~1\John\LOCALS~1\Temp\clclean.0001
C:\Updater.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
c:\windows\system32\dllhost.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopOE.exe
c:\windows\ehome\ehmsas.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
c:\windows\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-11-16 18:58:55 - machine was rebooted [John]
ComboFix-quarantined-files.txt 2008-11-17 02:58:43
ComboFix2.txt 2008-11-12 04:35:07

Pre-Run: 13,613,477,888 bytes free
Post-Run: 13,600,788,480 bytes free

206 --- E O F --- 2008-11-13 11:04:00


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, November 16, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, November 16, 2008 19:31:41
Records in database: 1388279
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 93203
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 01:26:16


File name / Threat name / Threats count
C:\Program Files\ZangoToolbar\ZangoInstaller.exe Infected: not-a-virus:AdWare.Win32.180Solutions.ao 1

The selected area was scanned.
Old 11-17-2008, 08:44 AM   #18 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Oct 2006
Posts: 4,232
OS: Vista


Re: Spyware Infection

Hi,

Quote:
I removed Bittorrent (don't know what it is, or how it got there)
Bittorrent is a peer to peer application.


I see you didn't update Java. Please update it, as old versions have vulnerabilities in them that malware can use to enter your system.


Delete this folder using Windows Explorer: C:\Program Files\ZangoToolbar

How is your computer running?
Old 11-17-2008, 06:50 PM   #19 (permalink)
Registered User
 
Join Date: Jul 2008
Posts: 29
OS: XP sp3


Re: Spyware Infection

Hello Again,
My computer seems to be running well. The only thing I would like to make sure we clean out is the program that keeps making McAfee pop up with this:

About this Potentially Unwanted Program
Name: Tool-NirCmd
Location: C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP897\A0084533.com

You mentioned that this is part of ComboFix. Will we be cleaning this out at the end of all this? I sure appreciate your time. I will be donating at the end of this. This is just an awesome site. Oh, I also updated Java and deleted the Zango folder.

John

Last edited by coug1984; 11-17-2008 at 06:51 PM.
Old 11-17-2008, 07:27 PM   #20 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Oct 2006
Posts: 4,232
OS: Vista


Re: Spyware Infection

Hi,

Quote:
I will be donating at the end of this.
Thank you for your generosity. :)

Quote:
Will we be cleaning this out at the end of all this?
Yes.

The following step should clean all that for you.


Click start > run > copy and paste:

combofix /u

That will hide your system files, clear your system restore cache, and uninstall ComboFix.


Note: Make sure you update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

Please check out Tony Klein's article "How did I get infected in the first place?"

And miekiemoes' "How to Prevent Malware"

Happy safe surfing!

Note: Please reply to this thread one last time so I could mark it as resolved.
Copyright 2001 - 2009, Tech Support Forum